Slashdot Mirror

Browsers only warn on non-ssl sites if you are submitting data back to them. Not a single one warns if you don't do that.

Several JavaScript APIs are restricted to secure contexts only, even if they do not submit data back to the site. One is Service Workers, needed for offline use. Others include Bluetooth, MIDI, and Presentation.

Search results for "referer"

Try Firefox, tab management and scrolling has been a "feature" for quite a long time now;

and Firefox Quantum (v57+) is generally faster than Chrome if not the same, and uses less memory on Windows.

Humms, sadly, you're right... Firefox isn't blocking domains based on hosts file :/
I'm using OpenDNS for blocking various domains too, so didn't notice.

Just checked and it appears both IE11 as well as latest Google's Chrome browser are honouring the hosts file.

Shocking.

The best I could do was to enable "display URL on hover" in my favorite browser, and hope that the URLs were at least somewhat self-identifying.

Yikes. I can't imagine a browser being my favorite if it didn't already display the URL on hover, by default.

I'm so glad that they've focused so much attention on Firefox (still my favorite browser by far, though it was painful there for a while). It sounds like the criticisms of this web site are reasonable (I haven't bothered to look), and that's a pity.

But wholesale dismissal of Mozilla--a company which has really picked itself back up and has been doing great things again for the last couple years--based on one crappy web site isn't right (though perhaps understandable if you had poor experiences with some past versions of their browsers), and it seems strange that they would produce something of the sort. https://developer.mozilla.org/ (MDN) is a counter-example of a fantastic web resource that Mozilla provides, which is why you'll often find it at the top of the results when searching for things related to web development.

I'm so glad we have such a good, free (in every sense) browser that isn't backed by a major data-mining company. Thanks, Mozilla!

while not ideal design -- they went a little gimmicky with the filters and changing smiley face -- just choose a category at the top of https://foundation.mozilla.org... to get identifying captions below each picture.

(and there is 'alt' text for screen readers, btw, it's just not displayed on a hover these days.. 'title' is)

These sorts of sites have existed for decades and there's already an extension for firefox to do this.

https://addons.mozilla.org/en-...

Seems like it does: https://protonvpn.com/support/... This page is already up: https://support.mozilla.org/en...

Thanks, that was my first take, too. But I tested this on three computers, two laptops and a gaming pc, Windows 10 and Windows 7, and the results were similar. There is an issue on bugzilla, opened five moths ago: https://bugzilla.mozilla.org/s...

My guess is that his is just hard and difficult work, and in the Mozilla team there are not too many developers who can do this.

It's really not about the users. It's about cold hard cash flowing from ProtonVPN to the Mozilla Foundation in return for the advertisement and any click throughs it might generate. Ultimately, Mozilla's business model requires they have cashflow to operate, so they need to use partnerships like this or having a search engine paying to be the default for the browser to generate enough of it, albeit with a choice of partnership that is somewhat questionable due to the number of users that will have no interest in the VPN but still have to deal with the notification popups. It's also kinda redundant long term, assuming that Project Fusion's efforts to integrate more functionality from TorBrowser directly into the Privacy Mode code come to fruition.

So which browser do you use?

I feel disappointed by some of the systematic fact distortions I see on K. Rupert Murdoch's noise outlets. I wish I could fire Fox. Fortunately, Mozilla is working on both the browser side and the facts side of that equation.

So which browser do you use?

I feel disappointed by some of the systematic fact distortions I see on K. Rupert Murdoch's noise outlets. I wish I could fire Fox. Fortunately, Mozilla is working on both the browser side and the facts side of that equation.

...I like LIVE BOOKMARKS. They're insecure? How? Seriously? What's the exploit here?

Oh well, time to switch to something different. I found this:

Feedbro.

https://addons.mozilla.org/en-...

It doesn't work with Firefox Sync and makes a mess of your bookmarks history, plus it doesn't work right on Slashdot, but it is the closest you will get to Live Bookmarks.

https://addons.mozilla.org/en-...

Livemarks is the closest thing you will get. It also has some issues and it completely destroys your bookmark history. Yay.

Here's a link with some actual info: https://foundation.mozilla.org...

The Mozilla Foundation raises money from donors who believe they are funding free software development. Then Mozilla spends that money instead on this ideological crusade, and other nonsense such as sponsoring a surfing contest.

Is this money diversion and mission creep ethical?

My opinion:
1. Mozilla has way more money than they need for their core mission.
2. Mozilla should not be lecturing anyone on ethics.

I think that this was meant to be the actual link. Or, better still, you could just go to the announcement.

Google is a net newbie, and although they think and act (incorrectly) like they know what they're doing, they want to be a (bad) nanny to everyone. What ever happened to "don't be evil?"

You say this as if Google de-trusting this CA in October is a Google choice.

FireFox limited trust for this CA back in May already, and will be revoking it in October as well.

May 2018 (Firefox 60): Websites will show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.
October 2018 (Firefox 63): Removal/distrust of Symantec roots, with caveats described below.

Only Microsoft hasn't announced intent to do so for IE/Edge, in violation of the certificate authority standards I might add.

There are clear rules CAs must follow and they are not ignorant of this.
Symantec knew full well they would have all of their CA certs revoked from all web browsers the second they sold wildcard certificates for traffic interception systems.

This is no ones doing other than Symantec.

Some of it is implied access. For example, if a phone rotates from portrait to landscape mode, it'll typically re-layout the page to fit the new aspect ratio. It then becomes trivial for Javascript to determine that the phone has been rotated.

As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.

https://addons.mozilla.org/en-...

If you have Firefox on the mac, check out this extension:
https://addons.mozilla.org/en-...

It basically allows you to darkify (is that a word?) all websites. ALL of them. It has a slider if you want to play with the intensity of the darkifying. You can exclude certain sites, of course. With a whitelist. Yea no, I'm not kidding, it's called a whitelist.

Why are you surprised? You should assume that when using chrome any website you touch is reported back to google, including page links you hit, something they're extremely interested in.

Do you know what a user agent string is?

The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.

https://developer.mozilla.org/...

Sheesh. FUD much?

When not much is changing on a page—for example, when there’s just a single blinking cursor—the browser will do the least amount of work possible."

I think you must have missed the part in that article about z-culling. It's a different way of drastically reducing the amount of work necessary and the proof is in the pudding: smooth 60fps efficiently using the hardware acceleration available beats janky rendering that inefficiently leverages the available hardware.

Theory and practice are not the same though. Check the actual docs and videos on webrender. The DOM + Compositing process currently used to re-render a single pixel is more expensive than cutting out that entire code path and rendering the entire scene. If you're only thinking of the final piece of pushing the actual pixel to the screen, that's the quickest part of the entire process. Figuring out what value that pixel should have in the first place is where all the CPU time is currently being consumed. That's the whole reason they're doing this the way they are.

Check the actual docs and videos on webrender. The DOM + Compositing process currently used to re-render a single pixel is more expensive than cutting out that entire code path and rendering the entire scene.

The actual docs say the opposite. "The optimizations above have helped pages render faster in certain cases. When not much is changing on a page—for example, when there’s just a single blinking cursor—the browser will do the least amount of work possible."

This is practice, not theory. Again, don't get me wrong, I like this a lot, but for some cases it will eat a lot more battery than incremental render. Whether that is a problem in practice remains to be seen. My guess: not a problem even on handsets, and perceptibly smoother browsing. I'll take it.

Everyone of them came preloaded with GApps and none of them was properly configured to just mount a flash drive if attached. In the case of the small devices they didn't even have USB-A sockets so without an adapter it's good luck putting software on them without intermediate steps.

When you visit https://ftp.mozilla.org/pub/mo... and download the latest Firefox apk (using whatever crappy browser your device came with), does the Play Store pop up, and request that you use Chrome instead when you try to install it?

Why do you ask questions if you aren't going to read the answers that were already given let alone the repeats ?

As I already said

https://www.amazon.com/Perform... [amazon.com] this tablet was actually locked down and is either by google or the manufacturer unable to operate any browser other than Chrome and an old version of that.

It's considerably worse.

Everyone of them came preloaded with GApps and none of them was properly configured to just mount a flash drive if attached. In the case of the small devices they didn't even have USB-A sockets so without an adapter it's good luck putting software on them without intermediate steps.

When you visit https://ftp.mozilla.org/pub/mo... and download the latest Firefox apk (using whatever crappy browser your device came with), does the Play Store pop up, and request that you use Chrome instead when you try to install it?

Nobody is stopping you from disabling JavaScript.

A well thoughout progressive web app can (and some argue should) also progressively degrade and continue to render content in some fashion (especially if it is public, and not behind authentication).

Although, I suspect you may be fighting a losing battle. HTML + JS (Web Assembly) + CSS (and other exciting agreed upon technologies) is a platform. Scripting is here to stay.

It is a marketing term for a collection of technologies (the main one being Service Workers).

I'm sure there are all kinds of uses for them, but the most obvious and easiest is for a domain to be able to cache its existing assets in the browser, and then to respond to requests on behalf of the web page (also cached) while offline.

You can use the built-in Reader View for a lot of pages, but it's not available for all pages. It depends on the page structure.

And the managing of the account that allows anyone who controls it to send automatic updates of arbitrary code to hundreds of thousands, perhaps millions of customer devices, is not as important?

Do you also realise that having the publisher sign the code too requires the device to explicitly trust the publisher, or trust someone else who has signed their certificate?

Mozilla realised this is pointless, you may as well sign it with the party the browser already trusts. You don't sign your own extensions anymore. You use an API to have Mozilla sign them now. This changed in Firefox 43, back in 2015. It's great to see you've kept up with things.
https://developer.mozilla.org/...

Haven't browsers had variable fonts since the introduction of CSS?

No, and they still haven't. What they call variable fonts is just a packaging hack -- more than one typeface in the same file.

What I expected was the implementation of an algorithm that will stretch the letters instead of "justifying" (filling up with spaces). That was done in western typography since Gutenberg.

Something like kashida in Arabic, but less dramatic. I know that this kind of microtypography was supported in LaTeX since at least a decade. Is stuff like this supported in CSS? Will it ever be?

Just noticed integrated tracking protection - kind of nice

Here's one example, the first google result I got when I searched "firefox exploit access local files"
https://blog.mozilla.org/secur...

Would this have been an exploit if Firefox had locked down local file access?

Here's another one, reported to the tor project, which was using Firefox
https://hackerone.com/reports/...

How does APK work with DNS over HTTPS https://blog.nightly.mozilla.o... ?
Once this is enabled by default, it will bypass the operating system's DNS resolution, bypassing APK Host files.

Javascipt has pretty much ended that.

For a while now, you connect to a web site and the site then loads its own libraries and executable code, as well as libraries and executable code from any number (I've seen 30+) of third party sites.

You basically have no chance of understanding what's being done with your resources or to your machine (or your personal information) if you're letting sites run javascript on your machine.

You can mitigate this somewhat with plugins like noscript, but you'll still need to manually whitelist most of the sites you visit and then painstakingly reenable third party sites and reload until the site you're trying to run actually works. And now that I use the term here, "site" isn't even applicable anymore as you're not going to a place so much as inviting a bunch of unknown coders into your own house to do who-knows-what with your information, tools, and resources.

And no, it's not just a theoretical problem: https://blog.mozilla.org/secur...

Here it is: TrackMeNot.

Well "..." is the spread operator in Javascript, here's =!=, it seems plausible that "+-+" might be interpreted as x+(-(+y)) which collapses to "x-y". Not sure about -+/* but Ruby should get a honorable mention for %/%. The most annoying thing about operators though is not each one, it's the precedence rules. For example in SQL "WHERE a OR b AND c = 1" when you mean "WHERE (a OR b) AND c = 1. I really, really wish some smart language would say "fuck that, we're not making obscure rules nobody remembers/notices are invoked" and just throws a syntax error, here's ambiguity so resolve it explicitly with parentheses. That would be the sane solution for all future maintenance. Also I'd like to ban the singular "=" operator, use "==" for comparison and ":=" for assignment, you can keep the mixed ones like "+=".

Bug #1291841 is what's stopping all the cookie-management add-ons from working with the new API. Which in turn is why I, and many others, continue to use "legacy" add-ons and FF 56.

Hey, mozilla.org, how about you make the shiny new add-on API workfirst!

Is it possible for Mozilla to remotely disable the add-ons in Firefox ESR 52 after they have been removed from the add-on website ?

For example, can Mozilla disable them by adding them to a blacklist which causes Firefox to disable them ?

Yes, to some extent, but as far as I know it is only a soft-block and you can always choose to re-enable the addon. This functionality is controlled by the extensions.blocklist configuration entries, including extensions.blocklist.enabled which can be used to disable the feature altogether.

For Firefox 56 at least, you can see the list at https://blocked.cdn.mozilla.net. Not sure about newer versions.

Has nobody seriously made anything even remotely similar to DTA?
Surely the WebExtensions APIs expose the file API for mass downloads?
Browsers natively support segmented downloads (download resume) and multi-part downloads. At least I think so, for the latter part. I am sure you can specify an offset for downloads. Yep it does.
I'd be surprised if nothing out there replicated it by now.
I haven't bothered looking myself since I don't download loads of files like I used to.

One I do wonder about is file stream interception downloaders like your downloaders that can get file streams from Flash, video elements or whatever file extension you specify.
VideoDownloader was one I remember using.
Obviously the Flash won't work since sandboxed (and soon to be dead anyway), but I wonder if there is a way to check for ANY resources being loaded as they are being loaded in to the document.
I know there are a bunch of listeners and other things that monitor changes to the document or data, but I am not sure if there are ones for monitoring new connections.
It's an area of JS I haven't really touched on myself besides the basic listeners for input and such.
Anyone know?

The demotion of Thunderbird may be similarly explained by Google's influence, because the application competes with GMail's web-interface.

That makes no sense. Thunderbird is an offline email client. No one who uses it is going to switch to a web-based client if Thunderbird dies. Instead they will find a new offline client.

Saying that Thunderbird competes with GMail is like saying cars compete with motorcycles because they both use roads, while completely ignoring the reasons that car drivers chose a car and not a motorcycle.

Two things keep me on Firefox 52:

1. Debian's preference for the oldest supported ESR version
2. The fact that Mozilla still hasn't fixed bug 1325692 that blocks WebExtension-based successors to Keybinder from being able to effectively unbind the Ctrl+Q=quit shortcut on Linux

based on the Chrome-compatible WebExtensions API

Could it be, the switch is one of Google's condition for financing Mozilla? To make it easier for users to switch to Chrome?

The demotion of Thunderbird may be similarly explained by Google's influence, because the application competes with GMail's web-interface.

But, at least, they no longer have a homophobe running the show so they have that going for them, which is nice.

based on the Chrome-compatible WebExtensions API

Could it be, the switch is one of Google's condition for financing Mozilla? To make it easier for users to switch to Chrome?

The demotion of Thunderbird may be similarly explained by Google's influence, because the application competes with GMail's web-interface.

But, at least, they no longer have a homophobe running the show so they have that going for them, which is nice.

Do people in a wheel chair need a browser with a ramp? I don't think it affects browsing much

Say what?

If user can't control mouse I don't see what browser developers can do about it.

https://support.google.com/chromebook/answer/177893#autoclick
https://support.google.com/chromebook/answer/177893#tapdrag
https://support.mozilla.org/en-US/kb/mouse-shortcuts-perform-common-tasks

That's a long comment to say "things have changed at FF and not for the better".

Depends on your definition of better. The code base is a lot cleaner and a lot of the underlying components no longer have crazy interactions with each other. They aren't quite to the point of easily being replaced in and out (loosely coupled) but they are a whole hell of a lot simpler to make changes in one without completely breaking the others. I'll side step multiple threads and what not. But compared to where the code base was, the browser's code is a whole hell of a lot better.

The browser is larger than before, slower than before

I don't know what you mean in size, pure size, RAM usage?? I'm going to go with RAM since that usually what most people point a finger to. Memory usage is an issue in all browsers, and that's not an excuse. However, memory issues have plagued Firefox for quite some time now, here's one example for starters. RAM usage in browsers is a complex topic that's not just a "Mozilla, Google, Microsoft" changed something and now everything breaks. Browsers are being asked very complex things by JavaScript frameworks, video decoding, complex style sheets, web fonts, and so on. I'll say, I don't have a clear answer for you on that. The web is increasing in complexity and pretty much a Browsers is being asked to be a small self contained VM. Firefox specifically has had to make shifts in what to prioritize for what goes on in the browser. So at one point there was a massive outcry of freezing and slowness, trade off for dealing with that to some extent is more RAM usage. There's a balance to be struck for sure, but even all high and mighty Google engineers have yet to really tackle that well. I will say this, that Palemoon has off and on change with this. Some releases will focus on CPU enhancements and other will focus on RAM enhancements and you can tell which one is which by looking at htop. The web is astoundingly complex and perhaps it shouldn't be that way, or maybe it should be that way and browser devs have just yet to crack a meaningful balance between CPU/memory. As for the slower than before, I've not noticed that, but it really depends on your setup. Again, that has a lot to do with, "can the browser offload tasks to something else?" Which it's still insane to me that we've gotten to a point where webpages are so complex that we need to have offloading workers, but I guess I'm just an old fart.

has less useful extenstions[sic]

Yeah, you might want to read the article you are posting to for that. Devs can do one of two things. One, go ahead hack together an API for that and watch as it is slowly abused to death and we go right back to bad code in the code base. Two, actually put together a well thought out API and stress test it over time to develop a model that is one that will work well without a million hacks. By all means, if there's some contribution you'd like to add, the devs are all ears. But by no means, should the devs hack something together, just so your purple hug bear bar multi-tab manager addon will work. Want to speed that process up? Feel free to send anyone worth their salt who won't duct-tape their API up to make it work over.

has less configuration options exposed

Fun thing, Chrome has a ton of options exposed. Number one complaint I hear from that team is the fact they had to implement a search bar for the configuration since there are so many dang options. Is there a balance? Oh you betcha! No arguments there, but it's literally, "you will always be burned by someone" type thing. about:config and just deal. If there's something you really, really want to see. Put it up on Bugzilla, make a strong argument for it. I'm not saying you are wrong on this, but it's just a such a touchy thing that devs really want a strong argument for

It's Google's fault for trying to strong-arm HTTPS-only.

It's not even only Google. Mozilla is on the same track of deprecating cleartext HTTP, according to its HTTPS FAQ from May 2015.

Some project team at Mozilla, same as the ones that want to ignore your DNS settings and route it all through their selected provider. Or the ones that forced pocket into the browser when it should have been an extension. Maybe even the ones who hilariously run this.

I've been pretty happy with CardDAV support via the CardBook addon, which lets me connect (read/write) to the same contact list as on my smart phone and web mail. CardDAV is an extension of WebDAV and implemented via HTTP rather than LDAP, but it's far more standardized and specialized to contact management.

Perhaps you can connect via CalDAV to a DavMail intermediary that then translates to LDAP. Perhaps your enterprise can maintain a global DavMail server to ease that. See also Bug 86405 comment 86, which extols the virtues of CardDAV.